Cybersecurity incidents are now a predictable feature of doing business, not a remote IT problem. For boards of UK-listed companies on AIM, the Main Market and Aquis, cyber risk is a core governance issue – with real consequences for corporate value, regulatory expectations and, increasingly, the personal liability of C-suite executives and directors.
This article gives a practical, board-friendly overview of:
- How personal liability for C-suite executives and directors can arise in the cyber and data security context, and what the DSIT Cyber Governance Code of Practice is;
- The concrete steps boards of AIM, Main Market and Aquis PLCs should be taking; and
- How MSP Company Secretarial, as a specialist company secretarial and governance adviser to a number of UK PLCs, can support boards in this area.
Personal cybersecurity liability for C-suite executives and directors
The legal landscape is evolving towards greater personal accountability for cyber and data security failures.
Cybersecurity governance and Companies Act duties
Two statutory duties under the Companies Act 2006 are particularly relevant:
- Section 172 – duty to promote the success of the company; and
- Section 174 – duty to exercise reasonable care, skill and diligence.
If the board allows the company to operate with inadequate cyber security controls or fails to protect personal data appropriately, that may be framed as:
- a failure to promote the success of the company (for example, by exposing it to foreseeable and avoidable loss, regulatory sanction or reputational damage); and/or
- a failure to exercise reasonable care, skill and diligence in overseeing risk management, security governance, and internal controls.
Where these duties are breached, the company and potentially shareholders may seek remedies against directors – such as damages, recovery of profits, or restoration of property – and shareholders may, in limited circumstances, bring a derivative claim for negligence, default, breach of duty or breach of trust under sections 260–264 CA 2006. While the threshold for such claims is high, the possibility is real.
MSP Company Secretarial can support your cyber governance processes. Speak to us to find out how.
Data protection and other avenues of director liability
In addition to the above:
- Individuals can be liable under the Data Protection Act 2018 for certain offences, such as knowingly or recklessly obtaining or disclosing personal data without the controller’s consent.
- Directors may face personal claims in negligence or other torts where their conduct contributes to loss.
- Minority shareholders may bring unfair prejudice petitions, and liquidators may pursue misfeasance claims in insolvency scenarios.
In the regulated financial services sector, the FCA has a range of disciplinary and enforcement tools; while historically cautious about pursuing individuals where they have met expected standards, it is increasingly focused on operational resilience and cyber risk as part of senior manager accountability.
Speak to us about cybersecurity governance.
What good C-suite behaviour and cybersecurity governance look like
To minimise personal exposure and demonstrate that they have discharged their duties in mitigating cyber threats, C-suite executives and directors should ensure that:
- the organisation has comprehensive and up-to-date cyber security and data protection compliance programmes;
- there is regular, structured reporting to the board from relevant advisers (internal and external), aligned to the DSIT Code’s principles; and
- board minutes clearly evidence active oversight, challenge and follow-through on cyber and data security issues.
1. Cybersecurity risk is now a mainstream board responsibility
As the impact of recent events on well-known companies has demonstrated, cyber attacks now threaten business continuity. Operational resilience, financial performance and cash flow, regulatory and legal compliance, and brand, stakeholder and market confidence are all at risk of significant damage from lapses in cybersecurity governance.
For Main Market companies, the UK Corporate Governance Code expects boards to maintain robust risk management and internal controls and to describe how principal risks (including risks to cybersecurity) are identified, managed and mitigated.
For AIM and Aquis companies applying the QCA Corporate Governance Code, cybersecurity risk plainly falls within the expectations around risk management, culture, stakeholder interests and maintaining effective internal controls – even if it is not called out separately.
In other words: cybersecurity risk is no longer just “an IT issue”; it is a board-owned strategic and governance issue.
MSP Company Secretarial are experts in governance and compliance processes. Speak to us to find out more.
2. The DSIT Cyber Governance Code of Practice – what it is (and what it is not)
The Department for Science, Innovation and Technology (DSIT), working with the National Cyber Security Centre (NCSC), has published the Cyber Governance Code of Practice (the “Code”). It is explicitly designed as a board-level governance framework: it sets out what directors should be doing to oversee risks to cybersecurity, not how to configure firewalls or patch systems.
Purpose and audience of the Code
The Cyber Governance Code of Practice is a framework to guide boards and directors on governing cyber risk effectively. It is:
- developed by DSIT with NCSC and industry input;
- aimed at boards and directors of medium and large organisations (public and private); and
- intended to set out the most critical governance actions that directors are responsible for, forming part of a wider package including Cyber Governance Training and the NCSC’s Cyber Security Toolkit for Boards.
Crucially, DSIT is clear that the Code is not aimed at those responsible for the day-to-day management of cyber security. It is a strategic, oversight-level document, helping non-technical board members understand what “good” cyber governance looks like and what questions they should be asking.
The five principles of the Code
The Code is structured around five board-level principles, each with actionable steps and supporting training:
- Risk management – integrating cyber risk assessments into the company’s overall risk management framework and risk appetite.
- Strategy – embedding cyber resilience in business strategy, investment decisions and resource allocation.
- People – clarifying roles, responsibilities, skills and culture across the organisation, including at board level.
- Incident planning, response and recovery – ensuring the organisation can respond to and recover from incidents effectively.
- Assurance and oversight – obtaining adequate assurance (internal and external) that controls are effective and gaps are addressed.
While currently a non-statutory code, it is widely seen as setting the minimum expectations for responsible boards, and aligns with the direction of travel in wider regulation (including proposed legislation on cyber security and resilience and sector-specific regimes).
MSP Company Secretarial can help ensure your cybersecurity governance program is robust. Find out how here.
3. Practical cyber governance steps for PLC boards (AIM, Main Market, Aquis)
Below is a practical checklist, aligned with the Code, tailored for UK-listed PLC boards. These actions should be owned by the board but will typically be delivered through audit/risk committees, management, and external advisers.
Establish clear board ownership and structure
- Appoint a board-level cyber lead – often the Chair of the Audit/Risk Committee or a NED with relevant experience – and agree how responsibilities are split between the board and committees.
- Ensure that committee terms of reference explicitly cover cyber and information security (risk oversight, incident readiness, assurance).
- Make cyber a standing agenda item, with periodic deep-dives as part of the board’s annual calendar.
Integrate cybersecurity into risk management
- Confirm that cyber and information security risks are properly identified in the risk register, with clear owners, mitigations and metrics.
- Ensure the risk appetite statement explicitly covers cyber risk (tolerance for downtime, data loss, operational disruption, ransom payment stance, etc.).
- Require regular, board-friendly reporting on key cyber risk indicators, not just technical dashboards.
Set and oversee a cyber strategy
- Ask management to present a cyber and information security strategy aligned with the company’s broader business strategy and transformation roadmap.
- Test whether the strategy is appropriately resourced (budget, people, tools) for the company’s size, sector and risk profile.
- Ensure material projects and acquisitions include cyber and data security due diligence and integration planning.
Focus on people, culture and training
- Confirm that all staff, including contractors and critical suppliers, receive proportionate and regular cyber awareness training; insist on tailored training for high-risk roles (finance, HR, privileged IT users).
- Require board-level cyber governance training for directors so the board can challenge management effectively.
- Ensure HR and management processes (on-boarding, off-boarding, remote working policies, disciplinary processes) reflect cyber and data security expectations.
Cybersecurity incident planning, response and disclosure
- Test whether the company has a documented cyber incident response plan, integrated with crisis management, business continuity, PR/IR and legal processes.
- Require at least annual incident simulations or tabletop exercises involving the board and C-suite – including scenarios where a breach may trigger regulatory notifications or market announcements.
- For listed companies, ensure the MAR and disclosure committee processes explicitly contemplate cyber incidents that might be inside information requiring prompt disclosure to the market.
Assurance and continuous improvement
- Seek independent assurance on cyber controls (for example, internal audit reviews, external penetration testing, or certification such as Cyber Essentials/Cyber Essentials Plus and, where appropriate, ISO 27001).
- Ask management to report regularly on findings, remediation plans and timelines and ensure progress is tracked at board/committee level.
- Periodically review whether the board has the right mix of skills and experience; consider NED appointments or external advisers to fill gaps.
Speak to MSP Company Secretarial about your cybersecurity governance strategy and board compliance here.
4. Specific cybersecurity governance considerations for AIM, Main Market and Aquis PLCs
While the principles are common, listed PLCs face particular expectations:
- Main Market – investors, regulators and proxy advisers increasingly expect clear disclosure of how cyber risk is governed under the UK Corporate Governance Code, including risk management and viability statements, internal control reporting and narrative on major incidents.
- AIM and Aquis – applying the QCA Code, boards should explain on their websites how risks are identified, managed and mitigated; cybersecurity management should be explicitly covered in those disclosures and in internal governance documentation.
- Across all markets – material cyber incidents may trigger MAR disclosure obligations, require data breach notifications to the ICO and affected individuals, and have implications for contractual commitments (for example, SLAs and data processing agreements).
Aligning with the DSIT Cyber Governance Code of Practice provides a credible, government-endorsed framework for satisfying these varied expectations in a coherent way.
5. How MSP Company Secretarial can help your board navigate cybersecurity governance
MSP Company Secretarial is a specialist company secretarial and governance advisory firm acting for a range of UK-listed companies on AIM, the Main Market and Aquis. Our team is known by boards and executives for being commercial, pragmatic and hands-on.
We are not a technical cyber security provider – and nor is the DSIT Code. Instead, we help boards make sure that the governance around cyber and data security is robust, documented and effective.
In practice, MSP can support by:
Board and committee cybersecurity governance
- reviewing and updating terms of reference, schedules of matters reserved, and delegated authorities to reflect cyber responsibilities;
- embedding cyber into annual board and committee workplans and agenda planning.
Framework and documentation
- aligning your risk management framework, risk register and risk appetite statements with the DSIT Code’s principles;
- ensuring cybersecurity incident response, crisis management and disclosure processes (including MAR and regulatory notifications) are clearly documented and board-approved.
Board reporting and evidence
- designing board-friendly reporting templates for cyber and data security so directors receive the right level of information and assurance;
- ensuring minutes, action logs and board papers clearly evidence directors’ oversight, challenge and decision-making in this area.
Interface with technical and external advisers
- helping the board to translate technical findings into governance implications;
- working alongside your CISO, CIO, external cyber consultants and legal advisers so that governance, regulation and disclosure are all properly joined up.
MSP Company Secretarial can help your Chair, CEO, CFO and fellow directors turn the Code into a workable governance framework that fits your company’s risk profile, listing market and strategy – and, in doing so, support both the protection of corporate value and the reduction of personal liability risk for senior leaders.
Contact MSP Company Secretarial
If you would like to discuss how MSP can assist your board with cybersecurity governance, please get in touch with our team here.
Cybersecurity governance: Frequently asked questions
Do directors need specialist cybersecurity knowledge to meet their legal obligations?
To ensure proper governance, directors and decision makers are expected to understand the strategic cyber risks and to know enough to ask the right questions of management, advisers and the other stakeholders in cyber security risk management, so that the board can satisfy itself that the company is compliant.
Are directors responsible for cybersecurity failures caused by third-party suppliers?
Yes. Directors retain responsibility and oversight when cyber services are outsourced. They should still take a hands-on approach to cyber risk strategy and foster a security culture, and they remain responsible for the relevant risks, governance and standards throughout the organisation.
Can a board delegate cybersecurity oversight to a committee?
Committees can provide an important input to cyber security governance and risk mitigation; however, the responsibility still rests with the board and with directors. Accountability cannot be delegated to lower management or other committees.